Your ransomware nightmare just came true – now what?
- Reference: 1749209408
- News link: https://www.theregister.co.uk/2025/06/06/ransomware_negotiation/
There's a growing market of firms that advise extortion victims on how to handle the situation, but that just adds another invoice to the injury, and some still prefer to go it alone. In the end, while a few companies do ignore ransom demands outright, all at least assess their options before deciding whether to negotiate, restore from backups, or pay up.
"I believe less than a quarter of the organizations last year that we assisted ended up going on their own and settling with the threat actor," explained Andrew Carr, senior manager of business development with Booz Allen's Commercial Incident Response team.
So how should you proceed?
First, take a look at the infected machines to see what exactly is going on and if there's information on how the infection occurred so security holes can be patched up.
For companies that have cyber insurance, the insurer will often appoint someone to do just that, according to an independent ransomware negotiator who asked to remain anonymous to avoid being targeted by criminals. Insurance companies are spending a lot of time and effort examining the ransomware ecosystems because they are having to pay out increasingly large sums as the ransomware plague spreads.
Next up, companies usually wipe their systems clean and restore them from backups. The wiping is particularly important, since once someone has gained access to your network, they could well have left other malware behind to get a second bite of the cherry.
This holds true even if victims decide to pay up – once a system has been penetrated, it must be thoroughly checked for remaining threats. Getting the ransomware key is one thing, but the system should still be regarded as at risk, even after decryption.
When you have to pay
Although the majority of ransomware victims don't pay up, some feel they have to. Maybe it would take too long to wipe and restore all affected systems, or maybe the backups are insufficient, given the scope of the infection.
As we've seen in the [5]Colonial Pipeline and [6]UnitedHealth attacks, the CEOs were quite blunt about their reasons for paying – service had to be restored, fast.
In the case of Colonial, it was an emergency. Panic buying was leading to shortages and fistfights were breaking out at gas stations across the US East Coast. The decision was made to suffer the pain and pay up.
With the Change Healthcare cyberattack, parent company UnitedHealth forked over [8]$22 million in bitcoin to the ALPHV/BlackCat gang, since pharmacies were in chaos and prescriptions desperately needed to be filled. Incidentally, this was one of the relatively rare cases where the gang did rip off its affiliates, the ransomware negotiator told The Register.
Most ransomware infections contain contact information for the attackers. If you feel you have to negotiate, it's important to know who you're dealing with. Typically, ransomware-as-a-service operators let affiliates make the actual intrusion, then take over negotiations and kick back a percentage to the initial attacker.
The reason for this central control is that it allows the malware developer to ensure their brand - such as it is - remains untarnished. While there have been cases of people infecting victims or stealing data, taking the payoff, and then [9]double-crossing the payer, that's bad for business.
"Trust is a massive part of this," the ransomware negotiator said. If the gang has a reputation for delivering a solution once victims have coughed up the fee, then it's easier to extort money.
The major gangs have full-time staff who manage negotiations, ensure delivery, develop better malware, and so on, the ransomware negotiator explained. Typically, they'll pitch the first demand at around 5 percent of annual revenue. The trick to reducing the sums is playing the long game.
The longer the negotiation goes on, the more the price is likely to drop, he opined. The extortionists just want the money and "it will tie up with the negotiator so they just kind of go, 'Well, you know, screw this. Let's just give them a nice, generous discount'," he added.
There are exceptions. After going through chat logs related to LockBit, the ransomware negotiator told us, he noticed a lot of amateur teens seem to be using rent-a-ransomware kits. These folks are more likely to negotiate themselves, then take the money and run, as they have no reputation to preserve.
But they're also more likely to cave, as we saw in the recent ransomware infection at PowerSchool - the original infection actually happened upstream at an unnamed telco, but they refused to pay, so the attackers used info gained in that first attack to target the education software provider [13]instead, according to legal documents connected to a guilty plea from a 19-year-old attacker. PowerSchool paid up, but the data was still apparently out in the wild and remained undeleted, leading to [14]further extortion attempts against PowerSchool customers.
As far as payment goes, everyone we spoke to agreed that bitcoin was the preferred payment method. It's convenient and, importantly, usually untraceable. While coin mixing technology – which seeks to launder the digicash using a mass of transactions – is improving, it's still possible to beat. In the case of Colonial, most of the ransom [15]was recovered, and one Dutch university not only recovered the ransom but [16]made a profit because the price of bitcoin had risen while they were doing so.
If you seek help, mum's the word
If you do hire a professional to help, don't let the criminals know what's going on, Carr advised.
"We don't go in and say I'm from X company, here on behalf of this victim organization. You pretend, typically, that you are a member of that organization. That way it just seems more natural. And some of the groups actually have animosity towards professional organizations that assist in these cases."
Similarly, if you have insurance, it's vital not to let on when negotiating with the extortionists. At the recent RSA security conference, Dutch police [17]explained that in addition to encrypting some systems, the crooks also look for documents related to cyber insurance. If the victim has coverage, the amount they demand goes way up.
But it shouldn't come to that. The vast majority of ransomware operators just want low-hanging fruit – people without even basic endpoint protection who can just be spammed with malware, Carr said. Larger companies should be able to fight off all but the most determined, well-resourced attackers.
And that's the root of the issue. Payment is likely to fund further criminal activity, so caving to the demands is making attacks more likely in the future. Carr said that if it came to a decision to pay, then his job was over – "we're hands off in that," he concluded. ®
[5] https://www.theregister.com/2021/06/09/old_vpn_colonial_pipeline/
[6] https://www.theregister.com/2024/04/30/unitedhealth_ceo_ransom/
[8] https://www.theregister.com/2024/03/04/alphv_ransom_payment/
[9] https://www.theregister.com/2025/05/08/powerschool_data_extortionist/
[13] https://www.theregister.com/2025/05/21/teenager_extortion_powerschool/
[14] https://www.theregister.com/2025/05/08/powerschool_data_extortionist/
[15] https://www.theregister.com/2021/06/08/antiransomware_task_force/
[16] https://www.theregister.com/2022/07/05/maastricht_university_ransom_return/
[17] https://www.theregister.com/2025/04/16/dutch_ransomware_study/
Re: Stop paying. Stop making excuses for piss-poor IT.
Set fines equal to the ransom paid. It's unlikely that even insurance will pay a fine.
Company reporting should require annual reports to include statements about business recovery plans and their testing, and also a security audit. Yes, poor audit results and inadequate recovery plans will make a business an easier target, so those things should affect share price, and once expenditure on preparedness improves the share price it ceases to be seen as a cost to be avoided.
Re: Stop paying. Stop making excuses for piss-poor IT.
"Set fines equal to the ransom paid"
If you are going to make it illegal, make it an automatic jail sentence. Otherwise companies will just consider the fine part of the payoff.
Re: Stop paying. Stop making excuses for piss-poor IT.
What genuinely annoys me about "cybersecurity professionals" is that every time I ask about wage decimation, offshoring, outsourcing etc. I just get "well the company is going to do X, and we need to work in that framework".
They tend to be aghast at my wanting to make CEOs legally liable as well as my wanting to taser users who won't take the training. HR use it as a checkbox. People who scream loud enough get to avoid training & the assumption is "IT will sort it out".
As SOON as helpdesk etc is offshored, then risk registers should be screaming.
When corporations making $$$$ that refuse to pay for the multitude of tools and insist on running at 50% staff across the board get hacked, then the management need to be held to account.
I mean, I'm not ever going to do the free over time that IT staff seem to rush into doing OR put in the hacks or drag equipment out in terms of lifespan.
Make the act of paying ransoms illegal. Hold the senior management legally liable & if the shareholders lose their shirts because the company goes to the wall....tough
Re: How many people are allowed to die?
"Excuses like "service had to be restored, fast." are just that; excuses."
If a ransomware attack shuts down hospitals in a region and a number of patients are expected to die for lack of treatment, how many are allowed to die?
Or, how long can a city be without water or electricity before they can pay? Or should this be indefinite and people should just migrate out of the city?
Would you hold up this remarkable ethical stance if it were your loved ones on the line?
Re: How many people are allowed to die?
Computers don't treat patients, doctors and nurses do that. All hospitals should have appropriate procedures in place so that they can function in the event of a breakdown in their IT systems.
Imagining that an IT failure could lead to people dying for lack of treatment is unfounded.
Likewise, the provision of water and electricity is about delivering a critical service to society. The companies or government departments responsible for delivering such services have a duty to ensure that the services can still be provided in the event of an IT issue or other operational emergency. Not delivering on that duty should be associated with legal consequences for those who neglect it.
My stance is not remarkable. What is remarkable is the lies and excuses that get rolled out to justify inaction and failure to properly discharge responsibilities.
The scourge of ransomware is not going away while ransoms continue to be paid. If you're suggesting that the status quo should be maintained because of some hand waving, that is itself remarkable.
Re: Stop paying. Stop making excuses for piss-poor IT.
Every time I see one of these posts about making ransomware payments illegal with draconian penalties, I ask myself exactly how simple-minded the proponent must be. While it looks good on paper, legal penalties for ransomware payment will create a perverse incentive to avoid disclosing the attack and give the attacker additional leverage over the victim, thus likely making the ransomware problem even worse. Furthermore, it's easy to criticize these organizations for being attacked (and the criticism is definitely warranted), but the attackers only have to be good once, while the defender has to be perfect every time.
I've said it before, and I'll say it again: if you really want to undercut the profit motive in these attacks, ban or heavily regulate trading in cryptocurrency. Eliminate the medium of exchange, and the business will fall apart.
"And some of the groups actually have animosity towards professional organizations that assist in these cases."
That seems stupid. Establishing a working relationship should make things easier for them.
Unless of course the ransomware folks know that when negotiators get involved, it causes them time, hassle and eventually a lower payout.
It's a bit like where I once worked: corporately, the organisation had animosity towards the Union because the Union were very good at their job and had a reputation for always winning.
Paying is a bad idea: not only will your information be sold and leaked anyway, but you literally don't know if they will actually decrypt your files or leave you hanging. And nothing says they won't ask for more money and/or attack you again.
How about...
Doing ALL of these:
1. Wiping any potentially infected system, and restoring from backups.
2. Negotiate with the hackers, but...
3. Never, ever actually make a payment - just keep their negotiators tied up for as long as possible.
In other words, not only do they not get paid, it costs them money instead.
Stop paying. Stop making excuses for piss-poor IT.
The only way to stop ransomware is to stop paying the ransom. It should be illegal to pay these scum a single milliSatoshi.
Excuses like "service had to be restored, fast." are just that; excuses. If your backup and recovery plans and your security systems are so poor that you can't recover from a ransomware attack, then the fault lies completely with you. If the company that you run is large enough to be considered "essential infrastructure" - like Colonial and Change Healthcare, then not having the technical ability, backups and expertise needed to recover from ransomware should be considered a failure of due diligence and the company involved should be fined appropriately.
Running a cowboy operation that makes lots of profit because you neglect to spend money ensuring that your systems are well defended and recoverable is mismanagement. At large scales, this mismanagement should be a criminal offence.
The rot won't stop as long as the income is there.